Microsoft Information Protection: Planning Your Sensitive Labels

Hey guys and girls, hope you guys are having a great weekend! Remember to stay healthy and stay safe as your priority.

Today’s blog is more towards talking about the Microsoft information protection labels, how to plan before deploying it. Each organization has their own preferences and requirements. Planning is a crucial part of every deployment especially when the deployment would have to roll-out to the users to use it for their daily work. Layman is the key to the users understanding.

Some organization have a compliance team and some does not have it. Having a compliance team would able to make this deployment much more clearer in terms of what the organization needs. If the organization does not have a compliance team, then we would help to identity together in terms what do they require only. Labels are structure in the form of priorities, so best to make it simple, and easier for administrator to manage too.

Phase 1: Give them the feel and look

Microsoft do provide default labels to organization, you can roll-out these default labels to smaller team or compliance team, allowing them to play around with it for a period of time. This allows them to have an idea how sensitive labels works and coming out a template would be easier for them. Having a template is the quickest way and easier way to roll-out the labels.

Default labels

Phase 2: Feedback and Drafting Template

Getting feedback and drafting template phase, is a closer phase to rolling out the labels that suits the organization needs. In this phase, there are few items that you would need to involve into and would take a bit of time,

  • Categories the labels based on location (Exchange online, SPO, OneDrive and etc)
    • There is difference in terms of protection features for each location
  • What can or can’t do in the labels
  • Users description about the labels (keep it as layman as you can)
  • Priority of the labels
  • Design structure of the labels/sub-labels (Simple is better)
  • Permissions (Flexible or Set)
  • Action for the priority labels (Flexible, Warning or Strict-Justification)
  • Customization notifications (Majority would decide to maintain the default, so you don’t need to spend too much time on this part)

Here are some design types that you can reference,

Design type 1

This design is for organization that would like to remain some default labels, and has new labels for other departments and its purposes. No sub-labels to be manage.

Design type 2

This design is for organization that would wish to keep some default labels but does not want to have other new labels to manage. Has sub-labels to manage.

Design type 3

This design is for organization that would like to manage their labels in the form of departments and with each department has their own labels. I wouldn’t recommend this though, because is complicated. As I mention earlier, labels are arrange in the form of priority.

Phase 3: Final Template

This is the phase where you can start to roll-out the final template of the labels back to the small team or compliance team to give it one last confirmation.

References:

  1. https://docs.microsoft.com/en-us/azure/information-protection/what-is-information-protection
  2. https://docs.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels?view=o365-worldwide

MDM: Preventing Meeting Room devices registered to Intune by user account

Hey guys and girls, happy new year and hope you guys are healthy and safe!
I’ve come across of issues of users kept login their own corporate user accounts into a meeting room device through Microsoft Teams. Thus, this will also registered the meeting room device under the user’s account.

Kept manually deleting the devices objects from the user account is not flexible to administrators. Clean up is really not something that as administrators has to do every time a user uses that meeting room device. Our meeting room devices are not hybrid join. So this solution does not really impact the Windows license but this does not mean it would not cause issue for your environment. Recommended that you test it out at your lab environment. Our meeting room devices are custom made/design.

I was able to came across an article that really helps my situation. This solution require to modify the device’s registry editor.

Note:

Please run a lab test.

  1. Launch the registry editor on the affected machine
  2. Direct to this location HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin
  3. Create a new DWORD item and name it BlockAADWorkplaceJoin with the value of 1
  4. Reboot the machine
  5. You may run a command line “dsregcmd /status” to check the MDM status
    • WorkplaceJoined: No
    • SSO state: No

If you have multiple devices that you would need to apply this settings you could export and save this registry settings or use PowerShell method. You may refer the PowerShell method via the references below.

References:

  1. https://msendpointmgr.com/2021/03/11/are-you-tired-of-allow-my-organization-to-manage-my-device/
  2. https://support.microsoft.com/en-us/topic/how-to-back-up-and-restore-the-registry-in-windows-855140ad-e318-2a13-2829-d428a2ab0692

Microsoft Endpoint Manager: Troubleshoot Hybrid Device Joined

Good day everyone, hope you all are taking care of your health and safety during this pandemic. Hope you guys are also getting your booster shots.

Today’s issue is related to Microsoft Endpoint Manager, on hybrid device joined. I notice that when a device’s Azure AD Registered icon is removed from the Endpoint Manager portal and if the machine didn’t reboot immediately and leaving the device there for more than an hour after I have made the changes in the portal, the device will have issue in joining/registering as hybrid join.

There is this cache that the device stored, I’m not too sure about what is the refresh time that the device retrieve the new update from portal.

Symptoms that your hybrid join was not successful:

  1. The device’s Register status keeps showing/stuck at Pending, at Endpoint Manager
  2. The device’s MDM status keeps showing/stuck System Center Configuration instead of Microsoft Intune, at Endpoint Manager
  3. Command prompt keeps showing the MDM warning, when I perform “gpupdate /force” even though the machine’s object is no longer found in Endpoint Manager
  4. In the dsregcmd /status shows the DeviceAuth: Failed.Device is either disconnected or deleted.

Steps to resolve:

  1. First clear the machine object from Endpoint Manager
  2. Run an Azure AD Connect synchronization from on-premises
  3. Once the Azure AD Connect synchronization completed then proceed to the next step…
  4. Reboot the machine
  5. Launch the command prompt as administrator on the affected machine, and run the following command “dsregcmd /leave”
  6. Then run “dsregcmd /status”, check to make sure the the device is unjoined
  7. Go to the registry editor, “HKLM\SOFTWARE\MICROSOFT\Enrollments” delete all the GUID looking keys
  8. Reboot the machine
  9. Try again the hybrid join procedure

If you can’t delete some of the keys due to the system not allow, then it is fine, you can proceed deleting the ones that can delete.

References:

  1. https://docs.microsoft.com/en-us/troubleshoot/azure/active-directory/pending-devices
  2. https://www.itpromentor.com/troubleshooting-weird-azure-ad-join-issues/

Exchange Migration: Windows 10’s Outlook kept prompting after turn off modern authentication

If you had read my previous/recent post about exchange migration on Windows 7, then today I’m writing a post about Windows 10. https://sabrinaksy.com/2021/10/14/exchange-migration-outlook-kept-prompting-for-password-after-migration/

It seems that after we turn off the modern authentication, there was no more further prompt issues with Windows 7 but Windows 10 on the next day is receiving prompt and with the user name shows as “contoso.onmicrosoft.com” domain instead of the “contoso.com” registered domain or default domain.

After research, we notice Microsoft just recently release an enforcement towards basic authentication on 1st October 2021. Hence, we have no choice to look for workarounds for Windows (7 and 10) to support Modern Authentication. The only workaround is to create a registry and amend them to the Windows machines.

Workaround

  1. Create a Group Policy Object in your Active Directory environment
  2. Under the Computer > Preferences > Windows Settings > Registry
  3. Create a new registry item
  4. This is the registry item that we want to create
    • Path: HKEY_CURRENT_USER\Software\Microsoft\Exchange
    • Value Name: AlwaysUseMSOAuthForAutoDiscover
    • Value: 1
    • Type: REG_DWORD
  5. Once you have created this policy and link it to the particular organization unit that contains the Windows machines
  6. Run a force group policy update from the Active Directory server
  7. Go back to the Office 365 admin center portal with Global administrator rights
  8. Settings > Org Settings > Modern Authentication > Turn on modern authentication
  9. Make sure you select all of the items under the modern authentication

  1. Monitor for the next 24 to 48 hours, for further prompt issues
  2. If there’s issues, troubleshoot the machine and check is registry amended if not just manually run it

You can always export the registry settings as .reg file format, so is easier to install on the affected machine(s) just by double clicking the .reg file.

How to export the registry file?

You can use the PowerShell’s Invoke-Command

Invoke-Command {reg export 'HKEY_CURRENT_USER\Software\Microsoft\Exchange' C:\Temp\ModernAuth.reg}

References:

  1. https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-and-exchange-online-september-2021-update/ba-p/2772210
  2. https://docs.microsoft.com/en-us/outlook/troubleshoot/authentication/outlook-prompt-password-modern-authentication-enabled

Azure AD Connect: Synchronization status is Completed with error

Recently I deployed Azure AD Connect server and I notice there are lots of updates and changes made to the latest version of Azure AD Connect application.

The latest version of Azure AD Connect is 2.0. There are few conditions required to follow before setting up the Azure AD Connect application to be running smoothly.

Now there is a new requirement for the service account that is assign for Azure AD Connect application purpose only, the service account must be a member of Administrators group in your local Active Directory. Without this permission, you will faced the synchronization status shows as “completed-with-error” and “permission-denied-access“. You will have trouble in terms of password synchronization.

To further view of what’s new with the version 2.0, you may refer to the references below.

References:

  1. https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-azure-ad-connect-v2
  2. https://www.microsoft.com/en-us/download/details.aspx?id=47594

Exchange Migration: Outlook kept prompting for password after migration

Hi guys and girls, hope you are doing well, as the pandemic is still on-going, hope that you guys are keeping cleanliness and safety first.

Today’s topic is about exchange migration of mailboxes from on-premises to Office 365. This issue is where the legacy windows client or legacy office apps has issue with their outlook applications keeps prompting for credentials and showing disconnection. The issue also do happen to Windows 10 machines but not as aggressive as the Windows 7 machines.

This environment has the following items,

  1. Exchange server: 1 unit, version 2013, CU23 (latest)
  2. Windows client: Combination of Windows 7 and Windows 10
  3. Office applications: Combination of 2013, 2016, 2019 and Microsoft 365 apps for business in both windows 7 and windows 10 categories
  4. Migration method: Remote move migration
  5. Hybrid establishment: Yes
  6. Microsoft 365 license: Business standard/basic

As we all know that the major pre-requisites must met before starting the hybrid and perform migration.

We notice intermittent connections while running the Wireshark on Windows 7 with M365 business apps, while trying to login using the migrated account credential on an Outlook app. We ran a re-creation of the outlook profile and the prompt for credential has stops. This is definitely not the right solution. Solutions is dependent with what caused the issue.

At first we suspected something got to do whitelisting on the network layer but we had confirmed that the whitelisting are correctly configured. Next, we suspected something go to do with compatibility on windows with/or office apps version. This is not a very good idea. After quick research, I came about modern authentication could be the caused, and there where I had an idea on suggesting to turn off the security default in Azure portal and then turn off the modern authentication in Office 3655 tenant. After 10 to 15 mins, the intermittent connections no longer shows up on the Wireshark.

Modern authentication is enabled by default for every new Office 365 tenants, so please be aware if your environment has legacy windows client running or legacy office applications, do consider to turn them off first before proceeding to deploy Microsoft 365 apps.

Azure portal > Azure AD > Properties > Manage security defaults
Office 365 admin center > Settings > Org Settings > modern authentication

Modern authentication was the one the interfered with the machines and it kept challenging the users to key in credentials due to the compatibility was not met. Once the modern authentication is turn off, the environment now is running basic authentication.

References:

PowerShell: Basic Understanding of Rows and Columns and CSV file

What’s up ladies and dudes!

Relation in this topic:

  1. Rows and Columns
  2. Loops
  3. CSV file
  4. PowerShell

I think playing with Rows and Columns is every beginner programmer’s nightmare. Rows and Columns concept is all the same for all coding languages. There’s no black magic here. Is all about the basic understanding and common sense. I’ve seen many fresh graduate find it difficult to understand the rows and columns and tend to overthink and turn their codes into a complex dark hole.

What you understand?

You come about FOR LOOP, WHILE LOOP or DO…WHILE LOOP. To identify Rows and Columns in loops form, let’s take FOR Loop as example, so below image is how you use the FOR Loop concept to get or apply table values. Inner FOR loop is define as your column, and the outer FOR loop define as your row.

So clear about it? In PowerShell, the concept is the same but it has been simplify with a command “Import-csv“.

What the beginners does?

This is the sample code that I have seen too much, in the beginners.

By apply this you will get duplicated result;

How PowerShell does it?

Now, let’s see the code for PowerShell, I’m going to show you how you get value list of rows and columns from Excel file, aka CSV file format.

This is the csv file for example, we have 2 columns with naming/attribute, UserPrincipalName and EmailAddresses as the first row. This is the view from excel and the view from notepad is different. Notepad, the columns are separated by a delimiter “,”

To put them into PowerShell, you just need a single FOR Loop to perform.

Lets output the result you will get is this, if you want to beautify your result is possible.

Is just that simple!

Azure: Troubleshoot Azure Information Protection installer via Intune

What’s up ladies and dudes!

Today’s topic is about the Azure Information Protection installer, yes is the MSI installer, AzInfoProtection_UL.msi.

Every MSI application you would need to use this following command to install them into the machine “msiexec /i <application name> /quiet“, but somehow for this case YOU DON’T NEED IT!

Basically you would just leave the command-line arguments empty.

References:

  1. https://www.microsoft.com/en-us/download/details.aspx?id=53018

Azure: Troubleshooting Conditional Access App Control for iOS

Good day everyone. Even with the Covid-19 is rising drastically in Malaysia, kind of brings my hopes down. Anyway, I still have to keep going with life.

Today’s topic is about the Azure’s conditional access policy. We found a bug in conditional access for iOS device platform. So basically our situation is that, if we would need the conditional app control to be functioning in the Cloud App Security, we would need to setup a conditional access policy. Our setup was only to achieve monitoring mode only. However, after enabling the policy we retrieve reports saying that all iOS devices are having trouble accessing their exchange online. Users are receiving an email notification, stating that their exchange online access is being blocked. We had to disable the policy temporary to troubleshoot it.

This was the email notification:

No Exchange Server, just Exchange Online
  • This was our configuration for the conditional access policy;
    • Assignment: Include a test group, Exclude the VIP accounts
    • Cloud apps: All cloud apps
    • Conditions: None
    • Session: Use conditional app control (Monitor Only)

So this is the Microsoft article shows how the configuration/enablement is being setup in the conditional access in order for the app control to work, as you can see there weren’t any conditions being setup. Hence, it should not be doing any requirements checking or blocking.

There are not enough explanation
As you can see the condition shows zero

To be honest, I had raise ticket to MCAS, Exchange Online and Azure team, and none of them able to get back to me an answers. MCAS team state that “no conditions are setup it SHOULD NOT be performing blocking”.

I had to stop relying the Microsoft Support for this case, as I had to find a way to identify it. So based on the image above, we can see that the article is not mature enough, because there weren’t any solid references or notes stating the limitations/restriction of monitor only of conditional app control.

Upon further checking, I had to analyze the logs of Azure Sign-in activity and Cloud App Security Activity log of that user whom experience the issue. We notice that the sign-in was shown as “Interrupted” and there was no failure sign in status. For your information, the iOS version is 14.

Error code 1: This is not an error – this is an interrupt that triggers device authentication when required due to a Conditional Access policy or because the application or resource requested the device ID in a token. This code alone does not indicate a failure on your users part to sign in. The sign in logs may indicate that the device authentication challenge was passed succesfully or failed.

Error code 2 : This is an expected part of the login flow, where a user is asked if they want to remain signed into this browser to make further logins easier. For more details, see https://techcommunity.microsoft.com/t5/Azure-Active-Directory/The-new-Azure-AD-sign-in-and-Keep-me-signed-in-experiences/td-p/128267

Error code 3: 50097

Another finding was that there weren’t any Exchange mobile device access policy/rules being configure to perform the blocking.

I do know that once this conditional app control is enabled there will have this prompt page before entering into the Exchange online, this is my iPad Air by the way, running on the latest version. The prompt page can be turn off though. Anyway, that is not the case here. I ran a test to mimic the situation but I didn’t experience any email notification send to me stating my exchange online access is being blocked. There is no MFA or Biometric setup on my iPad.

The questions still lies is there a pre-requisites for iOS devices for conditional access policy, even though there is no conditions being set?

Below is image from web browser;

Below image from my iOS outlook app;